security testing by ken de souza
The bare minimum you should know about web application security testing in 2017
Ken De Souza, QA or the Highway, February 2017
V. 1.1.1
Twitter: @kgdesouz
Blog: blog.tkee.org
Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21
Source: https://youtu.be/Nt33m7G_42Q
October 21, 2016
https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
This topic is HUGE
The tools don’t replace thinking.
Doing this from my experiences...
Common terminology
Learn something about the threats
Demos of tools
Explain the risks to stakeholders
Where to go next
"security, just like disaster recovery, is a lifestyle, not a checklist"
This is not a black and white problem
Source: https://news.ycombinator.com/item?id=11323849
https://www.checkmarx.com/wp-content/uploads/2014/10/SecurityintheSDLC.png
Source: http://www.amanhardikar.com/mindmaps/webapptest.html
This is a practical / experience talk.
These are the tools I use on a daily(ish) basis when I'm testing software.
Your mileage may vary.
The Tools
STRIDE (identification)
DREAD (classification)
OWASP Top 10 (attack vectors)
nmap / Wireshark / tcpdump (network analysis)
OWASP ZAP (vulnerability analysis)
sqlmap (exploitation)
Microsoft Threat Modeling (communication)
STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Source: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
Sources: https://www.owasp.org/index.php/Application_Threat_Modeling http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
Type                    Security control   Example
Spoofing                Authentication     I am Spartacus
Tampering               Integrity          Looks like Johnny got an A!
Repudiation             Non-repudiation    Didn’t Johnny have a B?
Information disclosure  Confidentiality    Johnny’s SSN is…
Denial of service       Availability       Please try again later.
Elevation of privilege  Authorization      sudo rm -rf /home/johnny
DREAD
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx
Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Developer point of view…
DREAD parameter   Rating   Rationale
Damage potential  5        An attacker could read and alter data in the product database.
Reproducibility   10       Can reproduce every time.
Exploitability    2        Easily exploitable by automated tools found on the Internet.
Affected users    1        Affects critical administrative users.
Discoverability   1        Affected page “admin.aspx” easily guessed by an attacker.
Overall rating    3.8
Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Tester point of view…
DREAD parameter   Rating   Rationale
Damage potential  10       An attacker could read and alter data in the product database.
Reproducibility   10       Can reproduce every time.
Exploitability    10       Easily exploitable by automated tools found on the Internet.
Affected users    10       Affects critical administrative users.
Discoverability   10       Affected page “admin.aspx” easily guessed by an attacker.
Overall rating    10
STRIDE / DREAD
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
OWASP Top 10
OWASP Top 10
A1: Injection
http://example.com/app/accountView?id='
A2: Broken Authentication and Session Management
http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
A3: Cross Site Scripting (XSS)
<script>alert('test');</script>
A4: Insecure Direct Object References
http://example.com/app/accountInfo?acct=notmyacct
A5: Security Misconfiguration
Default admin account enabled; directory listings shown on the site; stack traces shown to users
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
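Added example, not from the talk: the A1 probe above (`id='`) sent to a string-concatenated query beside a parameterised one, using SQLite with constructed sample rows. The `probe` helper shows the database-error signal a tester, ZAP or sqlmap watches for; the account table and its rows are made up for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the table behind "accountView?id=".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "johnny", 42.0), (2, "alice", 1500.0)])
    return conn


def account_view_vulnerable(conn, raw_id):
    # The query is built by string concatenation: whatever arrives in ?id=
    # becomes part of the SQL text. A lone quote (the A1 probe on the slide)
    # leaves the string literal unterminated and the database raises an error.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchone()


def account_view_safe(conn, raw_id):
    # Hardened form: reject anything that is not an integer id before the
    # database sees it, then bind the value as a parameter so quotes are data.
    if not raw_id.isdigit():
        return None
    return conn.execute("SELECT id, owner, balance FROM accounts WHERE id = ?",
                        (int(raw_id),)).fetchone()


def probe(handler, raw_id):
    # What a tester (or a scanner) looks for: does this input make the backend
    # error out? Returns ("error", message) or ("ok", row).
    conn = make_db()
    try:
        return ("ok", handler(conn, raw_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for handler in (account_view_vulnerable, account_view_safe):
        print(handler.__name__, probe(handler, "'"))
```

The error string from the vulnerable handler is exactly what ends up in a stack trace when A5 (stack traces shown to users) is also present.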
OWASP Top 10
A6: Sensitive Data Exposure
SSL not being used; Heartbleed; bad programming
A7: Missing Function Level Access Control
Access areas where you shouldn’t be able to access
A8: Cross-Site Request Forgery
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
A9: Using Components with Known Vulnerabilities
Not patching your 3rd party sh*t
A10: Unvalidated Redirects and Forwards
http://www.example.com/redirect.jsp?url=evil.com
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
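Added example, not from the talk, for A10: a redirect-target validator with an assumed host allow-list for example.com. It handles the bare `evil.com` value from the slide and also the scheme-relative, userinfo and non-http variants a tester would try next; the allow-list and the function name are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed allow-list for the site on the slide; a real app would load this from config.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def safe_redirect_target(url, default="/"):
    """Return a redirect target that stays on our site, or `default` when the
    supplied ?url= value would send the user elsewhere."""
    if not url:
        return default
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no host: "evil.com" from the slide lands here as a
        # bare path. Accept only a plain site-relative path; "//host" and
        # "/\host" are treated as host references by browsers, so refuse them.
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return url
        return default
    if parts.scheme not in ("http", "https"):
        return default              # javascript:, data:, etc.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default              # absolute URL to a foreign host
    # Rebuild as a relative URL: this drops any "user@" prefix so the browser
    # cannot be steered to a different host than the one we checked.
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ("evil.com", "//evil.com/", "https://www.example.com/sale?item=1"):
        print(candidate, "->", safe_redirect_target(candidate))
```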
Vulnerability                                      Tool
A1: Injection                                      SQLMap or ZAP
A2: Broken Authentication and Session Management   ZAP
A3: Cross Site Scripting (XSS)                     ZAP
A4: Insecure Direct Object References              ZAP
A5: Security Misconfiguration                      OpenVAS
A6: Sensitive Data Exposure                        Your brain…
A7: Missing Function Level Access Control          OpenVAS
A8: Cross-Site Request Forgery                     ZAP
A9: Using Components with Known Vulnerabilities    OpenVAS, nmap
A10: Unvalidated Redirects and Forwards            ZAP
Demos: Setup
Docker running “Ticket magpie” (https://github.com/dhatanian/ticketmagpie)
docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p 8080:8080 "dhatanian/ticketmagpie"
This container has LOTS of vulnerabilities, designed for learning about web security
The target
nmap: what ports are open? Where can you attack?
What is Wireshark
Network packet / protocol analysis tool
Allows users to capture network traffic from any interface, such as Ethernet, Wi-Fi, Bluetooth, USB, etc.
Source: http://www.aboutdebian.com/mailfram.gif
Why use Wireshark?
It is a great tool to debug your environment
Helps to examine potential security problems
Wireshark: look at the red/yellow lines between systems
Wireshark Demo
tcpdump: look at the red/yellow lines between systems
Why use tcpdump?
Use this when you can’t use Wireshark
Great for servers
Example
tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80
-l line-buffers output (matters when piping; harmless with -w), -nn skips host and port name resolution, -i eth0 picks the interface, -w dump writes raw packets to the file "dump" for later analysis in Wireshark, -s 65535 captures full packets, and "host web01 and port 80" limits the capture to HTTP traffic to or from web01.
TCPDump Demo
What is OWASP ZAP?
Find security vulnerabilities in your web applications
Can be used both manually and in an automated manner
Why use ZAP?
Can be used to find many of the top 10 exploits
Can be quickly integrated into your manual or automated workflow
Can be used in active or passive mode
OWASP ZAP
OWASP ZAP Demo
What is SQLMap?
SQL injection tool
Takes a lot of the exploits available and automates them
SQLMap
SQLMap Demo
Threat Modeling - What is it?
A way to analyze and communicate security related problems
This is a much larger topic than we have time for
… but I’ll give you the basics
Threat Modeling - Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now have the basics to be able to build a model
Threat Modeling: communicating it…
Threat Modeling
Step 1: Enumerate
– Product functionality
– Technologies used
– Processes
– Listening ports
– Process to port mappings
– Users and the processes that are running
– 3rd party applications / installations
Threat Modeling
Step 2: Data flow with boundaries
Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-modeling-you-apps.aspx
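Added example tying Step 1 and Step 2 together (this is neither the talk's code nor the Microsoft tool's): a constructed three-element data flow diagram with trust zones, and STRIDE applied per element type. The element-type-to-STRIDE mapping is the Microsoft SDL "STRIDE-per-element" table, assumed here rather than taken from the slides, and the app inventory is made up.

```python
from dataclasses import dataclass

# STRIDE letters per DFD element type: the Microsoft SDL "STRIDE-per-element"
# mapping (assumed here; the slides name STRIDE but not this table).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "store": "TRID", "flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone from Step 2; a zone change is a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


def enumerate_threats(elements, flows):
    """Return (element, threat, crosses_boundary) triples.
    A flow whose endpoints sit in different zones crosses a trust boundary;
    those are flagged because that is where untrusted input first arrives."""
    threats = []
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append((el.name, STRIDE_NAMES[letter], False))
    for fl in flows:
        crosses = fl.src.zone != fl.dst.zone
        for letter in STRIDE_PER_ELEMENT["flow"]:
            threats.append((fl.name, STRIDE_NAMES[letter], crosses))
    return threats


def build_model():
    # Constructed Step 1 inventory for a small ticket-shop style app.
    browser = Element("Browser", "external", "internet")
    webapp = Element("Ticket web app", "process", "dmz")
    db = Element("Orders DB", "store", "internal")
    flows = [Flow("HTTP request", browser, webapp), Flow("SQL query", webapp, db)]
    return [browser, webapp, db], flows


if __name__ == "__main__":
    for name, threat, crosses in enumerate_threats(*build_model()):
        print(("!! " if crosses else "   ") + f"{name}: {threat}")
```

Each flagged line is a candidate row for the DREAD table earlier in the talk; the unflagged ones still need a control from the STRIDE table (authentication, integrity, and so on).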
MS Threat Risk Modeling Tool Demo
Threat Modeling
Threat Modeling: can be done at various stages of the SDLC
https://www.checkmarx.com/wp-content/uploads/2014/10/SecurityintheSDLC.png
Other really good tools
netstat
nslookup
ps
browser dev tools
All these tools help to answer the question:
Is your application secure?
Where to go next?
Read!
https://seclist.org
Bug bounties
shodan.io
Practice
https://thetestdoctor.wordpress.com/2016/10/11/introducing-ticket-magpie/
https://xss-game.appspot.com
To conclude…
Be aware and prepare yourself for the worst.
Coming up with a plan is important
Understanding vectors is important
Thanks!
References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
• Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx